If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

How can I spot different CD copying protections and how can I defeat them?
How can I bypass a proxy server and access blocked sites?
Hacking ICQ explained
How to crash someones computer on a windows 9x network
Getting network login passwords ( by Max van Gorkum )
Emails

What are the different CD copying protections and how can I defeat them?

Here are most of the CD protections used to protect games and applications from people trying to copy them with their CD-R's. Most of the files and programs I mention here can be downloaded from http://www.cdrsoft.com .

CD-Cops

If your CD is protected with CD-Cops, when executing the main .exe file, a window appears with the words CD and Cops in the title. Also, the following files will be present in the installation directory:

CDCOPS.DLL

Files with the .GZ_ and .W_X extentions.

To defeat this you can use the 'CD-Cops decrypter' - which should work on some CD's.

Copylok

No details yet known.

Copy-Protected CD & The Bongle

At present there is no generic patch available, so it likely you will need to find specific patches for each CD (i.e. look for a CD crack).

DiscGuard

A CD protected with DiscGuard will have the following files on the CD or in the installation directory:

IOSLINK.VXD

IOSLINK.SYS

At present there is no generic patch available, so it likely you will need to find specific patches for each CD (i.e. look for a CD crack).

LaserLock

A LaserLock protected CD will have a hidden directory called "Laserlok" on it. This directory can be seen if you tell windows to "show all files". The folder was designed to contain files with unreadable errors so that the CD could not be copied correctly.

At present there is no generic patch available, so it likely you will need to find specific patches for each CD (i.e. look for a CD crack). Sometimes this kind of protection can be got round using the 'Ignore Read Error' setting that a few good CD copiers have (CDRWin, Nero, DiskJuggler).

LockBlocks

A LockBlocks protected CD will have 2 circles (5 mm and 3 mm), which cause a CD-R to lockup when being read.

At present there is no generic patch available, so it likely you will need to find specific patches for each CD (i.e. look for a CD crack).

SafeCast

Detection on this is unknown at this moment in time.

SafeDisc

A CD protected with SafeDisk will have the following files on the CD:

00000001.TMP

CLCD16.DLL

CLCD32.DLL

CLOKSPL.EXE.

GAME.EXE <replace game with the game title>

GAME.ICD <replace game with the game title>

To defeat this you need to Create a 1:1 copy of the CD and then use the "Generic SafeDisc Patch" (available from http://www.cdrsoft.com" to allow you to play the copy. Another method is to look for a patched game.exe file (do a search in a good search engine) and then do the following:

Create an image of the CD on your hard drive, but use the patched game.exe instead of the one actually on the CD. It is often better to use the CD-R drive to get the image file because the CD-R drive is more likely to avoid read errors.
Write the image file onto a blank CD-R at 1x (this will help to avoid errors).
SecuROM

If a CD uses the SecuROM protection scheme, one of the following files will exist in the installed directory OR in the root of the CD:

CMS16.DLL

CMS_95.DLL

CMS_NT.DLL

To defeat this you can use a generic patch:

SecuROM R1: Get Generic SecuROM R2

SecuROM R2: Get Generic SecuROM R3

SecuROM R3: Get Generic SecuROM R4 v1.1

SecuROM R4: Get Generic SecuROM R5 v5.1

SecuROM R5: Get Generic SecuROM R5 v6.0

Here are some other techniques that are frequently used to protect CD's

Dummy Files

This can be detected by looking for large dummy files, mostly over 600 Mb, in the root of the CD (usually with a .AFP extension).

If the original CD is smaller than 659 Mb, you can do a CD copy which will re-create the exact Dummy Files on the copied CD. If the original CD is over 659 Mb then OverSize a 74 Minutes CD-R or just use an 80 Minutes CD-R to make an exact backup.

Illegal Table Of Contents (TOC) file

This can be found by examining the tracks of the source CD. Usually there will seem to be a second data track (which is not allowed). Commonly, this track will appear after some audio tracks.

You can now bypass the illegal TOC files deliberately put on CD's as a form of protection by using a program such as 'Nero' or 'CDRWIN'. These programs have an option to ignore an illegal TOC file.

Protection Info

OverBurning CD's

To detect this, use a 74 minute writable CD and choose to do a test before writing - if the source CD has been overburned then the CD copier will come up with an error and tell you that your CD is not big enough (even if the source and destination CD's are both 74 mins!!).

To defeat this you can use a program such as 'Nero' or 'CDRWIN' to OverSize the CD-R using a capable CD-Writer . However, this can be dangerous if your CD writer does not support overburning - but there is another way! Simply get hold of an 80 minute writable and copy the source CD onto that!

The games 'Half Life', 'Kingpin', and 'Commandos' all use this method of protection.

Physical Errors

The CD is damaged on purpose. Most CD-Readers are not able to "copy" these kind of errors and will stop reading the CD. Few CD-Readers are able to copy these errors. The program 'BlindRead' can be very handy copying this protection.

PlayStation CD's

During the boot, the PSX chipset checks for an unknown sector on the CDS. This unknown sector is outside the mechanical range of the CD-Reader pickup. Therefore it is NOT possible to copy this track onto a CD-R.

To defeat this, install a modified Boot Chip (ModChip) inside the Playstation. This will trick the PlayStation so it thinks the inserted CD contains the right Country-Code & Bad Blocks.

Sega DreamCast CD's

The Dreamcast actually uses GD-ROMs, which hold a maximum of 1Gb of Data instead of the standard 650-700 Mb. This provides a good level of copy protection as they cannot be reproduced using a standard CD-Writer.

A GD-ROM consists of 2 DATA tracks. The first is usually between 10 & 50 Mb and can be read by a normal CD-Reader. The second track is written in a high density format which is NOT accessible by a normal CD-Reader.

At the moment, there doesn't appear to be a perfect way of copying these CD's.

I have had quite a few requests from people asking me how to access sites that are blocked at college or at work. It is quite difficult, if not impossible, for me to tell you exactly how to bypass the proxy server. This is because there are so many different ones out there, and bypassing one relies heavily on how the computers are set up. Anyhow, here are 3 techniques to access blocked web sites which might just work!

Technique 1

Say there is an url that you really want to get to - e.g.www.hackers.com - but whenever you try to access it you get "Access Denied" or something similar. One way I have found which sometimes works is to:

Go to http://come.to (or any other redirection service) and set up a new redirection url. A redirection url is an address which will take you somewhere else when you type it in. Typically these are used by people who have free webspace with really really long urls like http://www.myfreespaceonmyisp.com/us...rman/index.htm - now thats not a good address is it? So, the owner of the site would go to a redirection service (like come.to) and register a redirect url. Then, instead of giving out the long url to all his friends, he can give them the new, shorter redirect url - which would typically be something like: http://come.to/herman .
Set up the redirect url to go to the banned web site - in this case http://www.hackers.com
Once registered - simply type your redirect url and bingo! if it works you will be taken to the banned site!
This may or may not work - I have had this work for me though. It works because the title at the top of the browser and the address in the the url box remain the redirect url and do not change to the banned site.

Technique 2

Optiklenz from "Legions Of the Underground" has a method called the ' Defunct IP Protocol' which may just work:

If you take an IP in standard form, and convert it to a defunct IP (this is how optiklenz reffers to it) the defunct IP will still work just like the normal IP, but because it has no decimals separating segments it is perceived as an Intranet host rather than an IP - and Intranet hosts usually have very little security precautions assigned to them.

Here is optiklenz's description of how a defunct IP is created form a standard IP:

Seeing that IP's are 32 bits in 4 8bit segments. If you take 32 (bits of the ip) and multiply it by 8(bits of each ip segment) you get 256 bits or a cluster of 1's, and 0's depending on how you are looking at it. =]

The give an example of how we go from an IP in decimal form to a defunct ip. We'll use www.legions.org. Resolve the domain name. In this case we have 199.227.88.145:

[segments referred to as SEG]

********************

256| 3-2-1 method...

********************

32(8) = 256

|_SEG1(199)*256^3

|

SEG2(227)*256^2_+

|

SEG3(88)*256_+

|

SEG4(145)_+

|

145_+ -= 3353565329 (new identifier)

Defunct IP: The reason I call the new identifier a defunct IP is because when it goes through the above process it is no longer decimal form. So I refer to it as a "dead ip"

Now, this defunct IP is no longer really an IP and therefore any security implementations that occur for an IP address are no longer present. So, to answer the question above, If you have access to a computer where internet sites are blocked behind a proxy, you can use the defunct IP so that the security measures no longer apply.

You can see that this is an important factor for any system admin to take on board. Now, lets make it clear - this technique is not very likely to work on the web site that you want to access...but its worth a try! There is a program included with this volume called DIP.EXE. This is a quick little program I threw together. It will convert a hostname to an IP address, and then convert the IP to a DIP. Try it!

Technique 3

Ok, this is a pain - and should really only be even considered if you are desperate to access a site!

There are these services on the net called WebMail servers. These servers allow you to send mails to them requesting particular web pages. The idea is that you send an email with the command 'GO http://www.banned.com/page.html' and they will send you the page (through to your email) in the form of html. Ok, so you can probably already see the limitations of these as I speak...but they do work. The problem is that some of these servers take minutes to send it - some take days!

Also, some of them have loads of commands which makes things quite confusing. For example, some of them send you the page in text format unless you actually specify that you want the html - and some of them only send you images if you specify as well.

Here are some of these servers and their commands - to use them, email them using the syntax below and leave the subject line blank.

Some of the things I mention may only work for certain versions of ICQ. Mirabilis (The makers of ICQ) frequently update ICQ to get rid of vulnerabilities.
I am not an ICQ expert (largely because I tried to get the manual on the ICQ protocol but failed because it was a broken link!). I used to use it, but I grew tired of it and uninstalled it. I have recently re-installed it for the purposes of this tutorial.
Although I will refer to a few ICQ programs (script kiddie style programs) I want to make it clear that this tutorial will focus around you doing the hacking yourself...not just downloading kiddie cracks!
If you are using an ICQ clone for a different O/S (such as Linux you clever little devils!) then most of these techniques probably won't apply to you (since Linux ICQ clones get round most of the problems themselves anyway!).
Ok..lets look at some questions:

How can I get someones IP address on ICQ?

Some people will want to be able to get peoples IP addresses from ICQ. This is usually so that they can port scan the IP in search of services or exploits that may be present on the computer. Also, if you go on an IRC server that masks your IP (i.e. hides it) and you want to get someones IP for one reason or another...you might be able to get it through ICQ as alot of people who use IRC also use ICQ.

To get someones IP address:

1> Click the users Nickname on your contact list

2> Choose 'User information' or 'User details' or similar.

3> There should be a box stating their current or last IP. If it is blank...they have the IP masking feature on.

I tried that...but the persons IP is hidden!

There is an option to hide your IP from other ICQ users (which is pretty damn sensible)..and your target probably has this turned on. Now, although he probably feels safe in the knowledge that his IP can not be found...he is wrong.

Think about it...because ICQ works in such mysterious ways - when you send a message to another user, your ICQ client HAS no know the IP of the person you are trying to contact or else it won't be able to connect to him and give him the message. Therefore, in reality - your ICQ client actually knows everyones IP address...it just isn't telling you them!!

There are patchs (script kiddie alert) which will modify your ICQ client to make it show the IP addresses of all the users (regardless of whether they have the IP hiding option on or off) and I believe you can probably get one from http://www.warforge.com - or a search in a good search engine will usually get you one. However...

There is a more funky way. There is an msdos program called 'NetStat' which you can use by going to a dos prompt and typing 'Netstat'. The Netstat program is used to show connections and listening ports on your computer. Try it, go to a dos prompt and type:

Netstat -a

This will then bring up a list of all connections and listening ports on your computer. Do this once, and then go back to your ICQ client (leave the dos window open). Now send something to your target (the person whose IP you want to get), either a message or an url or something.

Now go back to the dos window and type 'Netstat -a' again. There should be a new connection there somewhere which should be in the 'established' mode. On that line is also the IP address of the person who the connection was made to - yes thats right...your target!

ALSO, it will show the ICQ port of your target. This is because it shows the port your computer is communicating with them on. It will usually be between 1024 - and 2000 and it follows the IP in the format:

<IP address>:<Port>

So in Netstat, the port appears after the ":" next to the IP. The port might be useful for you later.

I know it sounds like a bit more work than just installing an ICQ patch/mod but this is definately the most elite way to do it. Oh, and trying this without any other Internet related programs running will make netstat respond a bit quicker, and make it easier to read.

What Port does ICQ open on my computer then?

It varies, usually between 1024 to 2000

Are there any exploits for the "ICQ Homepage" feature?

I have heard of three good ones. The first allows you to read any file of the persons hard drive, and the second allows you to crash the persons ICQ client.

ICQ Homepage was a feature included in version "ICQ99a build #1700" and up. It allows ICQ users to run a kind of personal web server from their computer. The directory \icq\homepage\ is the default directory which ICQ uses, and it allows anyone who connects to your web server to access things in that directory. However, you can use a directory climbing exploit to move up in the persons hard drive.

So, if you access the persons web server and instead of asking for a normal file or directory...type:

/../../../

You would no longer be in "c:\program files\ICQ\Homepage\" you would be in "c:\". You can then continue as normal and browse his entire hard drive. By the way, "/../../../" simply means "Go up 3 directory's". I could also have used:

/..../"

This means exactly the same thing. In reality, step by step that command would make you go to:

c:\program files\ICQ\Homepage

to

c:\program files\ICQ\

to

c:\program files\

to

c:\

So, no longer are you bound to only being able to view the "homepage" directory - you can see all. Now, say I connected to his ICQ web server and I wanted to view the c:\windows\ directory - I would type:

/..../windows/

But, there is another problem! ICQ web server will only let you view .html .jpg and .gif files - which makes you think "So whats the point in viewing all the file on his hard drive...if I can't actually read them!!" - well, think again - another exploit is also present.

Ok, lets say I want to view his "c:\windows\win.ini" file. ICQ web server won't let me because it doesn't let you access .ini files. Here'swhat you would type to get round it:

/..../.html/windows/win.ini

Seriously, that works! it tricks ICQ web server because it sees the '.html' in the address.

As far as I know, the web server exploits are in versions "ICQ99a build #1700" and "ICQ99a build #1701"...but there is another tiny exploit in the newer version of ICQ's homepage:

Now they have fixed the directory climbing exploit - there is another little thing you can still do with it. This time it allows you to check whether certain files exist on their computer. I know this isn't all that useful...but i'm sure some people will find this damn useful!

Lets get some background -

When you connect to a web site and request a file that doesn't exist, the web server returns the error code '404'. This means that the file does not exist. Now, if the file does exist - but you are not allowed to access it, you will receive error code '403' which means forbidden.

If you connect to a newer ICQ homepage user, the /..../.html/windows/win.ini bug won't work - but let's take a look at the error message you get!

URL: /..../.html/windows/win.ini
ERROR #: 403: Forbidden

hmm, now lets try:

URL: /..../.html/windows/qwasquatnot.ini
ERROR #: 404: Not Found

Caught on yet? yes, thats right...if you use the exploit to get to a file that exists - you recieve error code 403. If you use the exploit to get to a file that doesn't exist - you get error code 404.

Using this you can check whether particular files are present on the targets hard drive.

The other problem I know of is only present in Build #1700. It allows you to crash anyones ICQ client if they are running the Homepage facility. Simply:

Go to startmenu > run
Type: Telnet <their IP> 80
Wait until you get a connection and then type: 'GET' or 'QUIT' or something which is a non-standard web server command.
In around 5-10 seconds they should dissapear from your 'online' list - this is because their ICQ has crashed.
How can I get someones UIN by just knowing their IP?

Ok, firstly - why would you want to do this? Say you are on IRC and someone nukes you or floods you and you want to show him how good you are, or search his computer for exploits you know of - wouldn't it be great if we could get his ICQ number! If you had that, you might also be able to use the ICQ personal information to get more info about this loser! Well, you can get his IP easily enough - so here's how you get the UIN from the IP!

ICQ message spoofers (fakers) work in a different way to ICQ messages. Message spoofers don't require you to know the UIN of the person (why would they need to?) they simple ask for the persons IP. I think you could probably get one from any hacking web site out there.

So, the general idea is that you:

1> Get his IP. To get it in IRC simply type: /dns <nickname>

2> Spoof a message to them from your UIN (yes, spoof it from yourself - it does make sense) which will make them reply to you. I will leave this to your imagination, but something like: "I have some working credit card numbers, do you want to swop lists?" usually works!

3> When they reply you will get their UIN !!!!!!

4> You can then use it to look up info on them, or just to have a massive rant at them!

How can I see Invisible users?

ICQ lets people make themselves invisible to certain people. By this it means that it will not show the people you specify that you are actually online - even if you are. This can be useful if you are avoiding someone.

So, how do you see invisible users? Well, this might work for you:

ICQ has a feature called 'Web-aware' which allows other people to go to your personal ICQ web page and see whether you are online or not and do other fun and pointless things. However, this could be pretty useful for us!

Now look on the page to see if there is a little image telling you whether he is online or offline.

This is not 100% going to work, as there is an option to switch web-aware off in the preferences.

How can I screw up ICQ?

Spoof a message to someone from their own UIN. If they then add themselves to their own contact list - next time they open ICQ their DB files will corrupt. This means they lose all their contact list.

How can I get someones ICQ password?

Versions before ICQ99b store the ICQ password in plain text (i.e. not encrypted) in their DB file (I believe they are now encrypted? - email me if I am wrong). The DB file is located in the following different places depending on your version:

Version lower that ICQ99a = \ICQ\DB\

ICQ99a = \ICQ\NewDB\

ICQ99b = \ICQ\DB99b\

Simply look through the file for the password - it usually appears on the line beginning "iUserSound". You could also use the web-server exploit detailed earlier to get the DB file.

Well I think thats enough for ICQ right now! Maybe I will come back to the topic as more exploits arise.

In theory this technique should allow you crash anyone on your LAN (local area network, i.e. your office/college network) provided they are using Windows 9x (95/98/Millenium?). I am told that this will not crash computers running NT or 2k - although I have not been able to test this.

Has anyone heard of the "win98-con" or "con\con" crash? Well the general idea is this (I wonder how many of you will do this!!):

Go to start menu
Choose Run
Type "\con\con"

Ok, now I will pause for a little while so that the people who tried that have enough time to reboot their computers!! tum tee tum...

When you try to go to a place with \con\con in the name - boom! you will recieve the blue screen of death (the windows crash screen) and you will have to reboot. So trying to go to:

c:\hacking\texts\con\con\vol5.htm

will also crash the computer. This exploit is present in all versions of win 95 and 98. Have you ever tried to create a folder and call it 'con' ? - well try it...windows won't let you. This is because con is kind of like a "reserved" word. Con is not the only one though, there are a few more - but the only other one I can remember is 'Aux'. \aux\aux should also produce the desired effect.

I though this was pretty cool, especially to do to peoples computers when they aren't watching! But apprently it gets even better!

You can use this \con\con thing to crash any computer you like on a network using a small link in html code. There is one restriction though, the computer you are going to crash MUST have at least one shared directory. I will go more in depth into file sharing next volume. For now, to check whether a computer has a share you can use the Nbtstat.exe program (which comes with windows and runs in msdos).

To use Nbtstat to find out if a computer is sharing - in dos type:

Nbtstat -a <target computers IP>

If you get anything useful back, look at the column under says "Name". This is a list of the share names - which is what we are interested in.

Actually to be honest, its probably easier if you find out what shares are on your computer...since most networked computers are set up exactly the same. To find what shares you have, type:

Nbtstat -n

Once you have a share name, create a new web page, and place a link like the one below:

Then i insert my floppy, and copy as much *.pwl files I can find to the floppy. When I'm at home, i insert the floppy in my pc, and I use the program REPWL (or you can use a program similar to that one) to get all the passwords from the pwl files.

Then you get all the passwords of your administrator and all the others. TADA! You can of course insert some trojans so you can remote control the network on your school.

I will use this section in future volumes to just go over a few of the emails I have had from readers of the Hack FAQ's. Often I get questions which are asked by quite a few people - so I will to include the answers here as well.

How can I crack Windows NT passwords?

You need a Windows NT password cracker/decrypter - L0pht Crack is the best around:

To hack a DUN password (i.e. to obtain the persons dial up password in plaintext) you either have to get a copy of the persons .pwl files from their c:\windows directory and use a program like 'Cain' to decrypt them OR use a program which will swipe the password from memory (usually only works if they use the 'save password' option in DUN). However, you want to get the passwords via the Internet which proves more difficult. To hack someones DUN passwords over the Internet is not really what you are asking - you need to know how to get access to a persons computer over the Internet. You can then get the .pwl files which store the DUN paswords.

So, you have a few options:

1> Port scan the IP addresses of the computers which you want to break into in hope of finding a vulnerability or trojan installed on the system.

2> Infect them with a trojan type program which will allow you to gain access to them over the internet (custom made trojans work best if you have time to make one).

[shadow]uraloony, Founder of Loony Services[/shadow]
Visit us at
[gloworange]http://www.loonyservices.com/[/gloworange]

just wanted to say how helpful these tutorials are to me and others like me. its going to take me a while to read them all though (few months probably) keep up the good work.
website suggestion: 3w.****microsoft.com

\"wise men talk because they have something to say, fools because they have to say something\"